Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area

I actually have Apache running in Prefork with FastCGI, rather than RUID 2, because it still says "Experimental".
But I also have all users Shell access set to disabled
So wouldn't it be better to accept such a setup as secure/aok?

A lot of times on VZ systems the kernel modules are managed by the parent server and not your virtual server.

Prefork/FCGI is fine, just make sure you're using some sort of cross-account symlink protection if you're hosting multiple domains. Since you're not using SuPHP I'd recommend the rack911 patch as opposed to the EasyApache "Symlink race condition protection" patch. The reason for this is that the EA patch checks ownership of every file it serves, and if you're not using SuPHP, the server might refuse to serve "nobody" owned files which would be created when web applications upload or update files. The Rack911 patch, while not perfect, is usually good enough and works with any PHP handler.